Category Archives: Software

DETEKT

EFF and other fine groups announce DETEKT, a spyware detection tool. It’s a joint project with Amnesty International, Digitale Gesellschaft, and Privacy International. Read the disclaimers and instructions carefully.

Note also that they seem to be on a very short release cycle: I downloaded version 1.1 at work yesterday (nothing detected), and just downloaded version 1.3 at home today.

Disclosure: I’m a proud member of the Electronic Frontier Foundation Advisory Board.

Posted in Software, Surveillance

Shellshock Still Kicking

Oh, joy: despite a vigorous round of patching, Shellshock isn’t dead, and isn’t even resting:

Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.

"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.

"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.

— iTnews.com.au, Further flaws render Shellshock patch ineffective. Spotted via Slashdot

Posted in Internet, Software

Shellshock: It’s as if Flesh-Eating Bacteria Were Poised to Eat Your Server

And all your Linux-embedded devices with any Internet access. From the sound of it, that’s about how bad the “shellshock” bug in Bash is:

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

— Slashdot, Remote Exploit Vulnerability Found In Bash.

Shellshock name spotted on Errata Security (good blog BTW), and the faithful INQ, which shares the cheerful fact that the NIST vulnerability database “rates the flaw 10 out of 10 in terms of severity.”

Update: It looks as if patching servers will be easy – mine is already done. The real problem will be patching devices with embedded Linux. To achieve that the consumer needs (1) to know the device exists, is connected to the internet, and is under their control — all sometimes much less obvious than one might imagine; (2) the device has to be patchable; (3) there has to be a patch; (4) the consumer has to know where to go to get the patch; (5) the consumer has to be able to apply it.

Internet of Things considered dangerous?

Update 2: This is a nice test for the Shellshock vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it returns something like

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

You are fine. But if it says,

vulnerable
this is a test

Then you have the bash bug.
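The same probe, wrapped so it can be run from Python against a given bash binary and its output classified deterministically. This is an added example, not code from the original post: the verdict strings, the `run_probe`/`classify_output` names and the ten-second timeout are assumptions made here; the environment value and the `echo this is a test` command are exactly the ones in the test above.

```python
"""Added example (not from the original post): run the Shellshock probe
shown above under subprocess control and parse its output into a verdict."""
import os
import shutil
import subprocess

# The probe from the post: a function definition exported through the
# environment, followed by a trailing command that only an unpatched bash
# executes when it imports the variable.
PROBE_ENV_VALUE = "() { :;}; echo vulnerable"
PROBE_COMMAND = "echo this is a test"
MARKER = "vulnerable"


def classify_output(output: str) -> str:
    """Map the probe's captured stdout+stderr to a verdict.

    A patched bash prints a warning that it is ignoring the function
    definition attempt, then the test line.  A vulnerable bash runs the
    trailing 'echo vulnerable' before the test line.  Anything else
    (empty output, a shell that is not bash) is 'inconclusive'.
    """
    lines = [line.strip() for line in output.splitlines()]
    if MARKER in lines:
        return "vulnerable"
    if any("this is a test" in line for line in lines):
        return "patched"
    return "inconclusive"


def run_probe(bash_path: str = "bash") -> str:
    """Run the probe against bash_path and return the verdict.

    Returns 'absent' when no such binary is on PATH, so the function can be
    looped over a list of candidate shells (/bin/bash, /usr/local/bin/bash,
    busybox boxes that have no bash at all) without raising.
    """
    resolved = shutil.which(bash_path)
    if resolved is None:
        return "absent"
    env = dict(os.environ)
    env["x"] = PROBE_ENV_VALUE          # same variable name as the post's test
    proc = subprocess.run(
        [resolved, "-c", PROBE_COMMAND],
        env=env,
        capture_output=True,
        text=True,
        timeout=10,                     # assumed bound; the probe is instant
    )
    # The warning lines go to stderr, the test line to stdout; look at both.
    return classify_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for candidate in ("bash", "/bin/bash", "/usr/local/bin/bash"):
        print(f"{candidate}: {run_probe(candidate)}")
```

Because `classify_output` is separated from the subprocess call, the two expected outputs quoted above can be fed to it directly when checking the script itself, and the probe can be pointed at any bash binary found on a host rather than only the one on PATH.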

Posted in Software, Sufficiently Advanced Technology

Gripe (Small)

WordPress released a new version of its TwentyTen theme. Would it kill them to include a changelog?

Posted in Software | 2 Comments

Iodine – Could be Handy

Meet Iodine:

iodine by Kryo

iodine lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed.

It runs on Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows and needs a TUN/TAP device. The bandwidth is asymmetrical with limited upstream and up to 1 Mbit/s downstream.

Compared to other DNS tunnel implementations, iodine offers:

Higher performance
iodine uses the NULL type that allows the downstream data to be sent without encoding. Each DNS reply can contain over a kilobyte of compressed payload data.
Portability
iodine runs on many different UNIX-like systems as well as on Win32. Tunnels can be set up between two hosts no matter their endianness or operating system.
Security
iodine uses challenge-response login secured by MD5 hash. It also filters out any packets not coming from the IP used when logging in.
Less setup
iodine handles setting IP number on interfaces automatically, and up to 16 users can share one server at the same time. Packet size is automatically probed for maximum downstream throughput.

See the README, the CHANGELOG and the man page

Wiki, bug tracker, source browser and more are available at our trac page. iodine is released under the ISC license.

Test your DNS setup here: http://code.kryo.se/iodine/check-it/

Free wifi in hostile environments like some other universities? And airports and cafes?
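The flip side of the feature list quoted above is what a network defender looks for: iodine-style tunnels show up in resolver logs as bursts of NULL-type queries carrying long, high-entropy first labels to a single zone. The following is an added example, not code from the original post or from the iodine project; the log line format, the sample lines and the thresholds (30-character labels, entropy above 3.5 bits, three or more long labels) are assumptions chosen for illustration.

```python
"""Added example (not part of the original post or the iodine project):
a heuristic scorer for DNS-tunnel traffic over a resolver query log."""
import math
from collections import defaultdict

# Constructed sample log in an assumed "timestamp client qtype qname" format.
# Lines 2-5 mimic what a DNS tunnel client produces: NULL-type queries whose
# first label is a long encoded payload, all under one zone.
SAMPLE_LOG = """\
1411600001 10.0.0.5 A www.example.org
1411600002 10.0.0.5 NULL 0abf3e9c1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a.t.example.net
1411600002 10.0.0.5 NULL 1b9c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c.t.example.net
1411600003 10.0.0.5 NULL 2c8d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d.t.example.net
1411600003 10.0.0.5 NULL 3d7e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e.t.example.net
1411600004 10.0.0.7 A mail.example.org
1411600005 10.0.0.7 AAAA www.example.org
"""

LONG_LABEL = 30        # assumed: ordinary hostnames rarely have labels this long
ENTROPY_THRESHOLD = 3.5  # assumed: bits/char; hex or base32 payload sits near 4-5
MIN_LONG_LABELS = 3    # assumed: require a burst, not a single odd name


def registered_domain(qname: str) -> str:
    """Crude zone key: last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the label."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_queries(log_text: str) -> dict:
    """Aggregate per (client, zone) and flag tunnel-like behaviour."""
    stats = defaultdict(lambda: {"queries": 0, "null": 0,
                                 "long_labels": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        _ts, client, qtype, qname = parts
        first_label = qname.split(".")[0]
        entry = stats[(client, registered_domain(qname))]
        entry["queries"] += 1
        if qtype == "NULL":
            entry["null"] += 1
        if len(first_label) >= LONG_LABEL:
            entry["long_labels"] += 1
        entry["entropy_sum"] += shannon_entropy(first_label)

    result = {}
    for key, entry in stats.items():
        avg_entropy = entry["entropy_sum"] / entry["queries"]
        # NULL queries from a client are rare enough in normal traffic that
        # any at all are worth a look; otherwise require a burst of long,
        # high-entropy labels under one zone.
        suspicious = entry["null"] > 0 or (
            entry["long_labels"] >= MIN_LONG_LABELS
            and avg_entropy > ENTROPY_THRESHOLD)
        result[key] = {"queries": entry["queries"], "null": entry["null"],
                       "long_labels": entry["long_labels"],
                       "avg_entropy": round(avg_entropy, 2),
                       "suspicious": suspicious}
    return result


def suspicious_pairs(log_text: str) -> list:
    """Sorted list of (client, zone) pairs flagged by score_queries."""
    return sorted(k for k, v in score_queries(log_text).items() if v["suspicious"])


if __name__ == "__main__":
    for key, value in score_queries(SAMPLE_LOG).items():
        print(key, value)
```

The two signals are kept independent on purpose: a tunnel configured to use TXT or CNAME records instead of NULL still trips the long-label rule, while the NULL rule catches low-volume use before three long labels accumulate. Thresholds should be tuned against a baseline of the local resolver's own traffic before alerting on them.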

Posted in Software

Text Missing from Firefox 27.0.x Tabs (Solved) (Updated)

TLDR: FF27.0.x + FEBE 7.3.0.1 causes text (but not icons) in FF tabs in additional FF windows to vanish after FF restart. Solution: upgrade to FEBE 8.0 beta. Do not blame Tab Mix Plus. Update: see below.

Long version: After upgrading to Firefox 27.0 (and FF 27.0.1) I began to experience an annoying bug. I am in the habit of having a lot of tabs open at once. Thanks to Tab Mix Plus, one of my very favorite addons, I can have the tabs arranged in multiple rows and they stay big enough to have an idea of which is which.

I also tend to have at least two firefox windows open, one for each monitor. I also use the session manager in TM+ to restore my tabs when I close and re-open firefox.

After the upgrade to FF 27.0, I found that the text was vanishing from the tabs when I did a re-open. The icons were there, but the rest was blank. This didn’t happen in the first window I opened, but it was happening in the second window, and every new window. The problem didn’t happen if I closed all the tabs before shutting down Firefox. It did happen whether I used TM+’s session manager or FF’s native session manager (yes, even if I unchecked the setting in FF’s privacy manager that tells it to forget my browsing history).

I figured this was a Tab Mix Plus issue. The extension is so powerful that it regularly has issues when I update Firefox. But this time, disabling TM+ didn’t solve the problem.

So it was time to start disabling all my many other extensions in the hope of finding the culprit. This is tedious, even doing half at a time, but it did reveal that the source of my problem was FEBE, the Firefox Environment Backup Extension. Upgrading to FEBE version 8.0 beta solved the problem. The beta actually looks a lot better than the old version (the author says it is a complete rewrite and I believe it). It seems noticeably faster, and (hooray!) it allows you to add incompatible add-ons to the ignore list from an interactive dialog as the backup is happening, rather than having to go to the preferences after the backup is over.

If you are updating FEBE from an old version be sure to delete existing FEBE preferences before the update. Tools > FEBE > FEBE Options > Advanced > Clear FEBE preferences.

After the install, whether or not this is a new install, you MUST go to Tools > FEBE > FEBE Options. The only option that absolutely must be set is your Backup destination directory under the Where to backup tab. Without this it will not work.

Update: Having tried to fix this on a second computer, I have to agree with commentator parabel that in fact TM+ is involved in some way. With FEBE updated to the beta, I was only able to get a second window to open properly — but not a third. Disabling TM+ solves the problem, but I lose all the TM+ functionality.

Update 2: As noted by commentator John, installing Tab Mix Plus version 4.1.3.1 seems to fix the problem. Yay!

Posted in Software | 8 Comments

Happy Data Privacy Day

Today is Data Privacy Day. Start your celebration with Unqualified Offerings:

Snowden’s revelations must be especially hard on the psychiatric profession. If one patient dismisses the idea that the government is spying on him, and the other is convinced that the government is working with major electronics manufacturers to put listening devices in his personal belongings, which one do you diagnose as being unable to distinguish reality from fantasy?

At a University committee meeting recently, I suggested the University should provide us all with encryption so we can protect our data on our computers, and in transit, as it was at risk of interception. The ranking University official at the meeting smiled dismissively and said something along the lines of ‘Well, if you are worrying about that…’. I said, “but it’s national policy – the President announced it.” He stopped smiling.

Posted in Cryptography, Software, Surveillance